Spike: How might we integrate the Oxeye static reachability functionality into CA

Summary

Oxeye has a POC that provides static reachability for Java and Python projects. We would like to integrate this into the Composition Analysis product.

Before this happens we should understand the technical implementation and develop an implementation plan.

Static Reachability

GitLab Advanced SAST with a custom SCA ruleset and SCA enabled (also known as Oxeye LightZ-AIO) runs after the build in order to extract the loaded / in-use packages in the customer's repository.

Currently, Python and Java are both supported; for more details, read here.
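As an added illustration of what package-level static reachability means (this is not Oxeye's, LightZ-AIO's or GitLab's code), the snippet below parses Python sources with the standard `ast` module, collects the top-level modules they import, and reports which declared dependencies are actually referenced. The requirements file, source files and the distribution-to-module mapping are constructed sample data.

```python
"""Toy static package-reachability check (added illustration, not the
Oxeye / GitLab implementation). Sample inputs are constructed inline; the
distribution-name to import-name table is a hypothetical lookup."""
import ast

# Constructed sample: a requirements file and two source files of one repo.
REQUIREMENTS = """requests==2.31.0
pyyaml==6.0.1
cryptography==42.0.5
"""
SOURCES = {
    "app/main.py": "import requests\nfrom yaml import safe_load\n\ndef run():\n    return safe_load('a: 1')\n",
    "app/util.py": "import os.path\nimport json\n",
}
# Hypothetical mapping of distribution names to their importable top-level module.
DIST_TO_MODULE = {"requests": "requests", "pyyaml": "yaml", "cryptography": "cryptography"}


def declared_packages(requirements: str) -> set[str]:
    """Distribution names declared in a requirements file (pins and comments stripped)."""
    names = set()
    for line in requirements.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            names.add(line.split("==")[0].split(">=")[0].lower())
    return names


def imported_modules(source: str) -> set[str]:
    """Top-level module names imported by one source file, found via the AST."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                found.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            found.add(node.module.split(".")[0])  # skip relative imports
    return found


def reachable_packages(requirements: str, sources: dict[str, str]) -> dict[str, bool]:
    """Map each declared package to whether any source file imports it."""
    used = set()
    for src in sources.values():
        used |= imported_modules(src)
    return {d: DIST_TO_MODULE.get(d, d) in used for d in declared_packages(requirements)}


if __name__ == "__main__":
    for dist, reached in sorted(reachable_packages(REQUIREMENTS, SOURCES).items()):
        print(f"{dist}: {'reachable' if reached else 'declared but never imported'}")
```

A declared package that no source imports is a candidate to deprioritise in SCA findings; a real tool would also follow transitive imports and build artefacts, which this toy does not.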

Edited Jul 01, 2024 by Joey Khabie